Poor, underfunded cyber defenses across the agriculture and food production supply chains are placing everyone at risk.

This two-part blog will first examine the threats and risks inherent in the agriculture and food production supply chain. Under-resourced and under-invested, our food infrastructure is at risk from much more than the supply disruptions caused by COVID-19.

Agriculture and food production; a critical infrastructure

When COVID-19 was at its peak, few industries could operate as usual, with offices shuttered to minimize the rapid spread of the deadly disease. Although agriculture and food production were profoundly affected by the pandemic, the workers in these industries were some of the few who were still required to go to work in warehouses and manufacturing plants, farms, and distribution centers across the country.

Agriculture and food production are considered critical infrastructure, defined to the federal government as – “…whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” (1)

Beyond critical infrastructure, food and agriculture also serve as national critical functions (NCFs), which are defined as “…functions of government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”

The critical nature of this industry also means they are targeted by various adversaries, from profit-seeking ransomware attackers to politically motivated nation-state attackers. One would think that defending this industry and its integrated supply chains should be a priority, but for many reasons, it is not. This critical infrastructure is open to and too often falls victim to cyberattacks.

The Cybersecurity and Infrastructure Security Agency (CISA) defines agriculture and food production as one of 16 critical industry sectors. It is an enormous industry comprising approximately 2.1 million farms, 200,000 production, and processing facilities, 63,000 grocery stores(2), and over 930,000 restaurants. Here we begin to see why it is so difficult to protect – millions of organizations, most of them small businesses, connected by complex and overlapping supply chains.

Attacks Across the Sector

It is no wonder that attacks against agriculture and food production organizations have been increasing. Ransomware attacks against JBS meat processing and AGCO, each netting over $11 million back in 2021(3), were just the tip of the iceberg. There were also multiple attacks against agricultural cooperatives during the 2021 harvest season, and in 2022, two cooperatives fell victim to attacks. There has even been an FBI advisory sent to US, Australia, and UK food and agriculture companies that are likely to be targeted by nation-state attackers during this harvest season.(4) The 2022 attacks, one in February and another in March, targeted grain processors and feed mills with Lockbit 2.0 ransomware.

In September of 2021, during harvest season, Crystal Valley Minnesota Cooperative was attacked, locking livestock feed orders for 25 million bushels of grain, and had to rely on other local cooperatives in the area to meet demand. Crystal Valley worked closely with the FBI to recover from the attack and did not pay the ransom.(5)

That same month in Iowa, the NEW Cooperative was also attacked by the BlackMatter group forcing the food storage and distribution to shut down their automated clearing house systems and shift to paper tickets for months while they recovered. As in most industries, most attacks (upwards of 75%)(6) on these smaller organizations go unreported.

Why is the food supply so at risk?

Risk across the agriculture and food production industry begins with complexity. As mentioned above, millions of organizations are involved in this supply chain; most are small and operating on razor-thin margins. Also, most of these organizations do not have dedicated cybersecurity analysts and few IT staff, nor have the resources to hire them.

The industry, as a whole, began moving toward digitalization and 24X7 information sharing across farmers, distributors, transportation companies, processors, and retail groceries to help improve efficiency and drive greater profits. COVID-19 drove even faster digitalization. The speed of movement to technology reliance to meet supply needs left cyber defenses a low priority. The result is risk and vulnerabilities across the entire sector.(7)

For many organizations, existing OT systems critical to production were connected to the Internet with no cyber defenses(8). The adoption of newer IoT and cloud systems are consuming budgets leaving little for cybersecurity tools. The worst scenario, feared by oversight agencies, is a major nation-state-sponsored attack against an entire country’s agriculture and food production industry, on a scale greater than NotPetya(9), which cost food-producing giant Mondelez over $100 million in lost revenue.(10)

A Missed Opportunity

On June 1st of this year, the USDA announced a multi-million-dollar program to create more resilience in the US food supply chain.(11) Developed from a mix of administration goals and lessons learned from the COVID19 epidemic, this funding program covers areas including developing new food processing plants and distribution centers, food equality programs, and healthy food availability programs. Sadly, none of these multi-billion-dollar investment programs nor the many initiatives it contains seems to focus on cybersecurity-driven resilience. Subsidizing the investment in improved OT/IoT systems and upgrades to cyber defenses, the investment in cyber defense tools, human resource training and better methods of sharing cyber intelligence all would have gone a long way to creating greater resilience in the face of growing attacks.

So, what can the agriculture and food production organizations do?

Next week’s blog will cover how coops and industry professional organizations are laying out standards and audit models to help enforce improved security hygiene. The blog will also include a curated list of helpful standards, support, and best practice resources for IT and cyber professionals working to protect their organizations and participate in new integrated supply chain opportunities.

References:

  1. https://www.cisa.gov/food-and-agriculture-sector
  2. https://www.ibisworld.com/industry-statistics/number-of-businesses/supermarkets-grocery-stores-united-states
  3. https://www.cnbc.com/2021/06/09/jbs-paid-11-million-in-response-to-ransomware-attack-.html
  4. https://www.cybersecuritydive.com/news/food-supplier-cyber-risk-spreads-jbs/
  5. https://www.food-safety.com/articles/7556-covid-19-the-food-supply-and-cybersecurity-coalescing-concerns
  6. https://www.cybersecuritydive.com/news/senate-ransomware-cisa/624369/
  7. https://eandt.theiet.org/content/articles/2022/05/agricultural-sector-at-risk-of-cyber-attacks-researchers-warn/
  8. https://www.foodengineeringmag.com/articles/99362-control-system-vulnerabilities-put-food-beverage-at-serious-risk
  9. https://www.business-standard.com/article/technology/notpetya-how-a-russian-malware-created-the-world-s-worst-cyberattack-ever-118082700261_1.html
  10. https://www.foodbusinessnews.net/articles/9725-mondelez-not-yet-back-to-normal-from-cyber-attack
  11. https://www.usda.gov/media/press-releases/2022/06/01/usda-announces-framework-shoring-food-supply-chain-and-transforming

Bill Munroe

VP Marketing, CyGlass